Merge pull request #8817 from yuwata/cleanup-nsflags

core: allow to specify RestrictNamespaces= multiple times
author: Lennart Poettering <lennart@poettering.net> 2018-05-24 16:49:13 +0200
committer: GitHub <noreply@github.com> 2018-05-24 16:49:13 +0200
commit: cdc0f9be925c79f52452938f39013062325da27a (patch)
tree: dfd01079f60ca2b6cc85baa298911a7bb375dae9 /src/core
parent: cea79e664394d4ca89016919cef36a55dc51a369 (diff)
parent: b086654c6a75119b660235ffb08bb4963835fc7c (diff)
download: systemd-cdc0f9be925c79f52452938f39013062325da27a.tar.gz
3 files changed, 26 insertions, 18 deletions
diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index f7e8798327..977ef22c94 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -1032,7 +1032,7 @@ static BUS_DEFINE_SET_TRANSIENT_PARSE_PTR(personality, unsigned long, parse_pers
 static BUS_DEFINE_SET_TRANSIENT_TO_STRING_ALLOC(secure_bits, "i", int32_t, int, "%" PRIi32, secure_bits_to_string_alloc_with_check);
 static BUS_DEFINE_SET_TRANSIENT_TO_STRING_ALLOC(capability, "t", uint64_t, uint64_t, "%" PRIu64, capability_set_to_string_alloc);
 static BUS_DEFINE_SET_TRANSIENT_TO_STRING_ALLOC(sched_policy, "i", int32_t, int, "%" PRIi32, sched_policy_to_string_alloc_with_check);
-static BUS_DEFINE_SET_TRANSIENT_TO_STRING_ALLOC(namespace_flag, "t", uint64_t, unsigned long, "%" PRIu64, namespace_flag_to_string_many_with_check);
+static BUS_DEFINE_SET_TRANSIENT_TO_STRING_ALLOC(namespace_flag, "t", uint64_t, unsigned long, "%" PRIu64, namespace_flags_to_string);
 static BUS_DEFINE_SET_TRANSIENT_TO_STRING(mount_flags, "t", uint64_t, unsigned long, "%" PRIu64, mount_propagation_flags_to_string_with_check);
 
 int bus_exec_context_set_transient_property(
diff --git a/src/core/execute.c b/src/core/execute.c
index 8cb16eb49b..939bc12b56 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3548,7 +3548,8 @@ void exec_context_init(ExecContext *c) {
         for (i = 0; i < _EXEC_DIRECTORY_TYPE_MAX; i++)
                 c->directories[i].mode = 0755;
         c->capability_bounding_set = CAP_ALL;
-        c->restrict_namespaces = NAMESPACE_FLAGS_ALL;
+        assert_cc(NAMESPACE_FLAGS_INITIAL != NAMESPACE_FLAGS_ALL);
+        c->restrict_namespaces = NAMESPACE_FLAGS_INITIAL;
         c->log_level_max = -1;
 }
 
@@ -4250,7 +4251,7 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
         if (exec_context_restrict_namespaces_set(c)) {
                 _cleanup_free_ char *s = NULL;
 
-                r = namespace_flag_to_string_many(c->restrict_namespaces, &s);
+                r = namespace_flags_to_string(c->restrict_namespaces, &s);
                 if (r >= 0)
                         fprintf(f, "%sRestrictNamespaces: %s\n",
                                 prefix, s);
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index b9b23bb278..2a11e4bbd0 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -3065,11 +3065,22 @@ int config_parse_restrict_namespaces(
                 void *userdata) {
 
         ExecContext *c = data;
+        unsigned long flags;
         bool invert = false;
         int r;
 
         if (isempty(rvalue)) {
                 /* Reset to the default. */
+                c->restrict_namespaces = NAMESPACE_FLAGS_INITIAL;
+                return 0;
+        }
+
+        /* Boolean parameter ignores the previous settings */
+        r = parse_boolean(rvalue);
+        if (r > 0) {
+                c->restrict_namespaces = 0;
+                return 0;
+        } else if (r == 0) {
                 c->restrict_namespaces = NAMESPACE_FLAGS_ALL;
                 return 0;
         }
@@ -3079,23 +3090,19 @@ int config_parse_restrict_namespaces(
                 rvalue++;
         }
 
-        r = parse_boolean(rvalue);
-        if (r > 0)
-                c->restrict_namespaces = 0;
-        else if (r == 0)
-                c->restrict_namespaces = NAMESPACE_FLAGS_ALL;
-        else {
-                /* Not a boolean argument, in this case it's a list of namespace types. */
-
-                r = namespace_flag_from_string_many(rvalue, &c->restrict_namespaces);
-                if (r < 0) {
-                        log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse namespace type string, ignoring: %s", rvalue);
-                        return 0;
-                }
+        /* Not a boolean argument, in this case it's a list of namespace types. */
+        r = namespace_flags_from_string(rvalue, &flags);
+        if (r < 0) {
+                log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse namespace type string, ignoring: %s", rvalue);
+                return 0;
         }
 
-        if (invert)
-                c->restrict_namespaces = (~c->restrict_namespaces) & NAMESPACE_FLAGS_ALL;
+        if (c->restrict_namespaces == NAMESPACE_FLAGS_INITIAL)
+                /* Initial assignment. Just set the value. */
+                c->restrict_namespaces = invert ? (~flags) & NAMESPACE_FLAGS_ALL : flags;
+        else
+                /* Merge the value with the previous one. */
+                SET_FLAG(c->restrict_namespaces, flags, !invert);
 
         return 0;
 }
author	Lennart Poettering <lennart@poettering.net>	2018-05-24 16:49:13 +0200
committer	GitHub <noreply@github.com>	2018-05-24 16:49:13 +0200
commit	cdc0f9be925c79f52452938f39013062325da27a (patch)
tree	dfd01079f60ca2b6cc85baa298911a7bb375dae9 /src/core
parent	cea79e664394d4ca89016919cef36a55dc51a369 (diff)
parent	b086654c6a75119b660235ffb08bb4963835fc7c (diff)
download	systemd-cdc0f9be925c79f52452938f39013062325da27a.tar.gz